AEPD (Spain) - PS/00406/2020: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 50: Line 50:
}}
}}


The AEPD imposed a fine of € 50,000 to EQUIFAX IBERICA, S.L. for including the personal data of the claimant in its solvency file without legal basis for it.  
The Spanish DPA (AEPD) imposed a fine of € 50,000 to EQUIFAX IBERICA, S.L. for including the personal data of the claimant in its solvency file without legal basis for it.  


==English Summary==
==English Summary==

Revision as of 10:31, 17 March 2021

AEPD - PS/00406/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1)(f) GDPR
20(1)(c) LOPDGDD
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 09.03.2021
Fine: 50.000 EUR
Parties: EQUIFAX IBERICA, S.L.
National Case Number/Name: PS/00406/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: CSO

The Spanish DPA (AEPD) imposed a fine of € 50,000 to EQUIFAX IBERICA, S.L. for including the personal data of the claimant in its solvency file without legal basis for it.

English Summary

Facts

Testa Residencial, as creditor, and Equifax, as responsible for the credit information file, had signed a contract. This contract established that Equifax had to send a payment request letter to Testa's debtors before including their personal data in the file.

The claimant received the payment request, but did not receive information about the fact that, if she did not pay, her data would be included in the credit file. For this reason, the claimant turned to the AEPD.

Dispute

Did Equifax have the legitimacy to include the claimant's data in its credit file?

Holding

In accordance with Article 20 of the Spanish Data Protection Act (LOPDGDD), individuals should be aware that if they do not pay their debts, their personal data will be included in the solvency file. This information could have been provided by Testa at the time of contracting or, failing that, by Equifax when it sent the payment request. However, neither of the two entities informed the respondent about it, so the inclusion of the data implies an illegitimate processing of personal data.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                1/13








        Procedure No.: PS / 00406/2020

                   RESOLUTION OF SANCTIONING PROCEDURE


    Of the procedure instructed by the Spanish Agency for Data Protection and based on
    to the following:

                                     BACKGROUND


    FIRST: Mrs. A.A.A. (hereinafter, the claimant) dated July 30, 2019
    filed a claim with the Spanish Data Protection Agency. The
    The claim is directed against EQUIFAX IBERICA, S.L. with NIF B80855398 (as
    successive, the claimed or EQUIFAX). The reasons on which you base the claim are that
    Your data has been included in the Asnef credit and equity solvency file.

    Equifax without such debt and without notifying it that it was going to be included. That once
    included in said file has not been notified either.

       And, among other things, it provides the following documentation:


 Copy of the letter addressed to the claimant and sent by Testa Residencial Socimi, S.A.
    dated June 20, 2019 where it appears:

o "Contract end date": 08/02/2019

o "Relative to": *** ADDRESS.1
o It includes, among other things, the following text: “… We take this opportunity to remind you
    that, according to our accounting entries, today owes the sum of XXXX, XX €
    in respect of non-payment of income…. "


 Copy of the letter addressed to the claimant and sent by Testa Residencial Socimi, S.A.
    dated June 10, 2019 where:

o It consists, among others, of the following text: "That in relation to the lease

    number, *** REFERENCE. 1 that we have with you about the property located in
    *** ADDRESS.1, has been detected in our accounting entries of "Testa
    Residencial Socimi, S.A. "an outstanding debt of XXXX, XX €. - euros,
    corresponding to the non-payment of the receipts of May 2018 (debt assigned by
    Building Center) July 2018 as well as February, March, April, May and June 2019 and

    consumption. "

 Copy of letter addressed to Testa Residencial Socimi, S.A. and sent by the claimant
    where it consists:


o That this letter is a reply to the one received on June 13, 2019.
o That the debt for the month of May and July 2018 does not exist, since that of May was
    Transfer of the YYY € they claimed was made by the Gijón city council.
    That a copy of the proof of payment was sent to Testa on March 23, 2019.
o That regarding the debt for the month of July 2018, they did not receive a receipt.

o That with respect to payments for the months of February, March, April, May, June, July
    2019 they were asked to use the Security Deposit and the surety for payment.

    C / Jorge Juan, 6 www.aepd.es
    28001 - Madrid sedeagpd.gob.es 2/13








           o That your family is considered severely vulnerable at risk of
              social exclusion.

     Copy of letter addressed to the claimant and sent by Financiera El Corte

       English. dated July 12, 2019 where the text appears:
       “After reviewing your financing request, we have consulted your data in the
       Patrimonial Solvency Files. We inform, in accordance with the legislation
       in force, that as of today, you appear with annotations in the following
       file:

       ASNEF-Equifax
       For this reason, your request for funding has not been accepted. "

     Copy of "housing lease agreement" dated August 3,
       2016 and signed by the complainant and Buildingcenter, S.A.U. as part
       landlord regarding the house "*** ADDRESS.1" where it appears:


           o In the "ADDITIONAL GUARANTEE" section:
              “… Both parties agree to guarantee the payment of the rent and
              any other economic obligations arising from the contract,
              as well as possible responsibilities of any other kind,

              arising from the occupation or breach of the lease of
              additional form to the bond, by delivering to Buildingcenter S.A.U
              of a deposit for a maximum amount of two thousand five hundred and fifty
              with zero cents equivalent to six monthly rent payments (2,550.00
              €. The total or partial execution of said deposit is optional
              Buildingcenter S.A.U, which may exhaust other ways to obtain payment

              and / or the resolution of the contract independent of the guarantee that the
              deposit supposed. "
           or “3.- RETURN OF POSSESSION.- At the end of the
              leasing, whatever the cause that produces it, the
              LESSEE must leave the HOUSING free, empty, and expedited, to

              disposal of the LESSOR, as well as free of charges,
              obligations and debts of any kind, without the need for prior notice
              nor required, within twenty-four (24) hours after the
              said completion, delivering within said period the home to the
              LESSOR in the manner that results from what is established in the
              fifth clause of this document. "

           o There is no notice of a possible communication of the data of the
              complainant to delinquency files in case of non-payment.

SECOND: In view of the facts denounced in the claim and the
documents provided by the claimant, the Subdirectorate General for Inspection of

Data proceeded to carry out preliminary investigation actions for the
clarification of the facts in question, by virtue of the powers of investigation
granted to the control authorities in article 57.1 of the Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter RGPD), and of
in accordance with the provisions of Title VII, Chapter I, Second Section, of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of

digital rights (hereinafter LOPDGDD).

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/13








       The actions carried out since the claim was received are as follows
following:


       On August 27, 2019, it was agreed to reject the claim.

       On September 27, 2019, the claimant filed an appeal for
replacement by providing the following documentation, among others:

    1. Letter addressed to the claimant sent by EQUIFAX and dated 5

        September 2019 where it is established that they have proceeded to the precautionary discharge with the
        entities Testa Residencial Socimi, S.A. in the ASNEF file of the data
        associated with the claimant.

    2. EQUIFAX report dated 08/27/2019 regarding the claimant and the

        operations in the ASNEF file where it consists:
           to. In the "Name" field: the name and surname of the claimant
           b. In the "Address" field: "*** ADDRESS.1"
           c. "In the field" Ent. Informant ”:“ TESTA RESD. SOCIMI SA "
           d. In the field "Registration date": 05/20/2019
           and. In the "Balance Act. Unpaid" field: XXXX, XX


    3. EQUIFAX report dated 09/05/2019 regarding the claimant and the
        operations in the ASNEF file where there are no data.

    4. Copy of letter addressed to Testa Residencial Socimi, S.A. and sent by the

        claimant where it is stated:
           to. That this letter is an answer to the one received on
               June 2019.
           b. That on May 21, 2019 is communicated by Asnef-
               Equifax that on May 20, 2019 the Testa Residencial entity

               Socimi, S.A. You have requested registration in said file regarding your data
               personal.
           c. That Testa has never communicated to you by letter
               certified to be included in delinquency files.

    5. Copy of email addressed to the claimant's email and

        sent by the email address resolutions@testainmo.com at
        dated June 11, 2019 where it is stated, among other aspects:
           to. "Tell him that he must pay the debt he has today, if not, he will be
               will include Asnef in the delinquency file. "


       On October 23, 2019 an estimate resolution is issued.

       On July 15, 2020, Equifax Ibérica, S.L. send this Agency the following
information and statements:
        1. Query is provided to the auxiliary file of notifications in the file

        Asnef with the breakdown of the notification corresponding to the Testa entity
        Residencial Socimi, S.A. with reference 740/2019051302778.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/13








       Provides a screenshot dated 07/13/2020 of consulting letters sent
       to the claimant with issue date 05/21/2019 where the reference of
       letter 2019-05-1302778 and the entity TESTA RESIDENCIAL SO and the tax balance.

       of RRRR, RR €.

       That a copy of the Reference Inclusion Notification is provided
       740/2019051302778 issued, as well as Certification issued by the provider
       of the Generation, Printing, and Provision of the Service of
       Postal Shipping -Correos and / or Unipost-, SERVINFORM, S.A., certifying the

       realization of the reference inclusion notification, together with the rest of
       communications issued in the process generated on May 21,
       2019, without any incident occurring in the process, which would have
       prevented its execution, and that it was made available to the shipping service
       postcards on May 22, 2019.


       Provide a copy of the letter sent to the complainant dated May 21, 2019
       with reference 740/2019051302778 where it appears “We inform you that with
       date 05/20/2019 the entity TESTA RESIDENCIAL SOCIMI, S.A. has requested
       the registration in the ASNEF file the following personal data related to non-payment
       of the contract that it has with said entity: ".


       Provides certificate from SERVINFORM, S.A. as a service provider
       Generation of Inclusion Notifications of ASNEF EQUIFAX, stating
       that certifies the generation, printing, and delivery service
       postcards, on May 22, 2019 the communication with the number of

       reference 2019051302778 addressed to A.A.A. residing at *** ADDRESS. 1.
       Provide a copy of the Post Office delivery note with reference 27537-CREDI,
       with office 2812096 and dated 05/22/2019.

       Provide a copy of the ILUNION IT SERVICES certificate; S.A.U., as provider

       of the service to EQUIFAX of recording and custody of the returns of the
       notifications, stating that currently there is no deposit and custody
       at the offices of ILUNION IT SERVICES; S.A.U. the referral notification
       740/2019051302778 nor has it been subject to treatment for any reason
       return.


       On July 22, 2020, Testa Residencial Socimi, S.A. refer to this
Agency the following information and statements:

    1. That "The personalized and individualized communication sent to the claimant
       prior to the inclusion of your personal data in files of

       information on financial solvency and credit is carried out directly by
       Equifax Iberica S.L. "

       A copy of the contract of "Provision of Services for the Notification of the
       Prior Payment Requirement ”signed on October 1, 2018 between

       Equifax Iberica S.L. and Testa Residencial Socimi, S.A. (the CLIENT) where
       consists of:



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/13








       "CLAUSES:

       FIRST.- OBJECT: The object of this contract is the provision

       of EQUIFAX services to the CUSTOMER consisting of sending the letter of
       payment requirement prior to the inclusion of data in solvency files
       equity and credit, in accordance with the operations described in Annex II to
       this contract. "
    1. That "Requests are not sent by TESTA RESIDENCIAL
       SOCIMI, S.A. directly but by a third entity EQUIFAX IBERICA

       S.L. "
    2. In response to the request for the certificate from the third party sending the
       communication to the claimant, prior to the inclusion of their personal data in
       financial and credit solvency information files, it is stated that
       “Taking into account the provisions of point 2 above, according to which the

       personalized and individualized communication sent to the claimant takes
       carried out by EQUIFAX IBERICA S.L., it corresponds to said entity to present
       copy of the requested certificate. "

THIRD: On November 27, 2020, the Director of the Spanish Agency
of Data Protection agreed to initiate a sanctioning procedure to the claimed, with

in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the
Common Administrative Procedure of Public Administrations (hereinafter,
LPACAP), for the alleged violation of Article 6.1.f) of the RGPD, typified in the
Article 83.5 of the RGPD.


FOURTH: Once the aforementioned initiation agreement was notified, the defendant submitted a
allegations in which, in summary, it stated that: "the Sanctioning Body itself
makes an assessment in the Start-Up Agreement (early and lacking in motivation
any), of the responsibility of Equifax.


The Initiation Agreement specifies the amount of the reduction that would proceed in the event of
acknowledgment by Equifax of its alleged responsibility and voluntary payment of the
sanction, in the opinion of this party, the rules established in article 85 are not
applicable in the present case.

That Equifax did not include the claimant's data in the ASNEF file

since she is not the entity that manages it, but TESTA as a creditor entity,
therefore non-existent the treatment supposedly carried out by
EQUIFAX and that begins the disciplinary proceedings filed before it.

Indeed EQUIFAX acquired a series of contractual obligations in the

provision of notification delivery services (in this case, of requirements
previous payment) but this, in no case, may mean displacement of the
responsibility in a legally established obligation for the creditor to
data controller for the mere assumption of contractual obligations
by a private agreement between the parties.


Equifax Ibérica S.L. fulfilled the delivery order related to the shipment of
prior payment requirements to the claimant as shown in the
attached documents.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/13








Asnef-Equifax cautiously canceled the data at the request of the exercise of
cancellation of the affected party in the absence of response from the person in charge to guarantee
the accuracy of the data (TESTA).


That a resolution is issued declaring the nullity of the procedure or,
failing that, the imposition of a warning or warning or a reduction
significant amount of the amount established in the Initiation Agreement, in response to the
numerous concurrent circumstances in the case of fact prosecuted ”.


FIFTH: On December 29, 2020, the instructor of the procedure agreed to the
opening of a period of practical tests, taking as incorporated the
preliminary investigation actions, E / 10196/2019, as well as the documents
provided by the claimed.

SIXTH: On January 19, 2021, a resolution proposal was formulated,

proposing that EQUIFAX IBERICA be sanctioned in the amount of 50,000 euros,
S.L. with NIF B80855398, for the alleged violation of article 6.1. f) of the RGPD, in
relation with article 20.1 c) of the LOPDGDD, typified in article 83.5.a) of the
cited GDPR


That by writing dated January 28, 2021, the defendant requested an extension
term, which was granted.

SEVENTH: On February 9, 2021, the defendant makes allegations to the
resolution proposal, ratifying the previous allegations and in synthesis

states that: “both communications demonstrate the sending by Equifax of
the two previous payment requests made by Testa Residencial, S.A. (What
creditor of the debt) to the claimant prior to the inclusion of their data
in the solvency file "Asnef".

Equifax sent the two communications that Testa Residencial Socimi, S.A. I "ll guide you

by uploading the content of the letter to Equifax systems in accordance with the
operation indicated in the Contract for the provision of services in its FIFTH clause
obligations and responsibilities that “At no time will Equifax be responsible
of the content of the letter, this being the full responsibility of the Client "
thus evidencing that Equifax is a mere provider of shipping services but it is the

responsible nor does he have to know the content of the communication
regardless of whether it is a “prior payment requirement”.

Since Equifax is not responsible for the content of the communication, nor the
bound by the principle of information contained in article 20.1.c), it is by

Hence, it is completely impossible to be responsible for whether or not said requirement includes the
obligation to inform the affected party about the possibility of including their data in the
credit information systems ”.
The defendant requests the nullity or, failing that, the file of the procedure or, in its
default, the imposition of a warning or a reduction
significant amount of the amount established in the Initiation Agreement.


In view of all the actions, by the Spanish Agency for Data Protection
In the present proceeding, the following are considered proven facts,

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/13









                                 PROVEN FACTS


FIRST: It consists, in the contract of "Provision of Services for the Notification of the
Prior Payment Request ”signed on October 1, 2018 between Equifax
Iberica S.L. and Testa Residencial Socimi, S.A. that personalized communication and
individualized form sent to the claimant prior to the inclusion of their data

personal information files on financial solvency and credit, it is carried out
carried out directly by Equifax Iberica S.L. where it consists:

"CLAUSES:


FIRST.- PURPOSE: The object of this contract is the provision of
       EQUIFAX services to the CLIENT consisting of sending the letter of
       payment requirement prior to the inclusion of data in solvency files
       equity and credit, in accordance with the operations described in Annex II to
       this contract. "

 That "The request shipments are not made by TESTA RESIDENCIAL
         SOCIMI, S.A. directly but by a third entity EQUIFAX IBERICA
         S.L. "

In response to the request for the certificate of the third company sending the

communication to the claimant, prior to the inclusion of their personal data in
patrimonial solvency and credit information files, it is stated that "Having
taking into account the provisions of point 2 above, according to which the communication
personalized and individualized sent to the claimant is carried out by EQUIFAX
IBERICA S.L., it corresponds to said entity to present a copy of the requested certificate. "


SECOND: The claimant was included in the file of patrimonial solvency and of
credit on May 20, 2019, in relation to a debt, for rent,
with the Testa Residencial creditor entity.


The claimant provides both the rental contract (in whose protection clause of
data does not refer to the possibility of inclusion in credit information systems),
such as communications received from the creditor entity, requiring payment, but
without warning of its inclusion in the file of patrimonial and credit solvency.


THIRD: EQUIFAX provides a copy of the notification letter to the claimant dated
April 24, 2019, requiring payment of the debt, but there is no information
about the possibility of inclusion in said file if payment is not made.
                                                                                   -220920
                           FOUNDATIONS OF LAW

                                            I


By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of
The Spanish Data Protection Agency is competent to resolve this
process.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/13









                                             II


      Article 58 of the RGPD, "Powers", says:

           “2 Each supervisory authority shall have all the following powers
corrective measures listed below:
(…)
b) punish any person responsible or in charge of the treatment with warning

when the processing operations have infringed the provisions of this
Regulation;
(...)
d) order the person in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, where appropriate,

in a certain way and within a specified time frame.
(…)
i) impose an administrative fine in accordance with article 83, in addition to or instead of the
measures mentioned in this section, depending on the circumstances of the case
particular
(…) "

                                            III

      The RGPD deals in its article 5 with the principles that must govern the
treatment of personal data and mentions among them that of "legality, loyalty and
transparency". The precept provides:


      "1. The personal data will be:
         a) Treaties in a lawful, loyal and transparent manner in relation to the
             interested party (<< legality, loyalty and transparency >>); "


        Article 6 of the RGPD, "Legality of the treatment", details in its section 1 the
cases in which the processing of third party data is considered lawful:

        "1. The treatment will only be lawful if at least one of the following is met
terms:
      f) the treatment is necessary for the satisfaction of legitimate interests

pursued by the data controller or by a third party, provided that on
said interests do not prevail the interests or the rights and freedoms
fundamental data of the interested party that require the protection of personal data, in
particular when the interested party is a child. The provisions of letter f) of the paragraph
first, it will not apply to the treatment carried out by public authorities in

the exercise of their functions. "

      The infringement for which the claimed entity is responsible is found
typified in article 83 of the RGPD that, under the heading "General conditions for
the imposition of administrative fines ”, it states:


      "5. Violations of the following provisions will be sanctioned, in accordance with
with section 2, with administrative fines of a maximum of EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/13








total annual global business volume of the previous financial year, opting for
the highest amount:
      a) The basic principles for the treatment, including the conditions for the

      consent in accordance with articles 5,6,7 and 9. "

       Organic Law 3/2018, on Protection of Personal Data and Guarantee of
Digital Rights (LOPDGDD) in its article 72, under the heading "Infractions
considered very serious ”provides:


      "1. Based on what is established in article 83.5 of the Regulation (E.U.)
2016/679 are considered very serious and will prescribe after three years the infractions that
suppose a substantial violation of the articles mentioned in that one and, in
in particular, the following:
        (…)

       b) The processing of personal data without the concurrence of any of the
           conditions of legality of the treatment established in article 6 of the
           Regulation (EU) 2016/679. "

                                           IV


      The documentation in the file provides evidence that the
claimed, violated article 6.1 f) of the RGPD, for data processing without
legitimation, obligation established in article 20.1 c) of the LOPDGDD, that is to say
I include the claimant's data in the Asnef file without previously requiring the
payment.


      Article 20.1 c) of the LOPDGDD establishes:

"That the creditor has informed the affected party in the contract or at the time of
require payment about the possibility of inclusion in said systems, with

indication of those in which it participates.
The entity that maintains the credit information system with data related to the
breach of monetary, financial or credit obligations must notify the
affected the inclusion of such data and will inform you about the possibility of exercising the
rights established in articles 15 to 22 of Regulation (EU) 2016/679 within
of the thirty days following the notification of the debt to the system, remaining

data blocked during that period. "

       Therefore, the data was included in the Asnef file without requiring it
prior to payment in contravention of the requirements set forth in the LOPDGDD.


      EQUIFAX provides a copy of the notification letter to the claimant dated 24
April 2019, requiring the payment of the debt, but without stating the warning that
in case of non-payment, it would be included in the capital solvency file and
of credit.


      Now, in the lease signed on August 3, 2016
with Testa as there is no information either in the contract or in the prior requirement of
payment the elements are not fulfilled so that this treatment can be presumed
protected by the legitimate interest and therefore it has been carried out without a legitimizing basis. Of

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/13








agreement with the contract for the provision of services provided between Testa and Equifax
Ibérica, this last entity will be in charge of making the request
prior payment prior to inclusion in the equity and credit solvency file,

without their sending and receiving by the claimant having been accredited.

      It is clear, and this is the essential, the above makes the data processing
of the claimant is not legitimate, since the established budgets were not given
in article 20.1 c) of the LOPDGDD.


                                            V

        In order to determine the administrative fine to be imposed, the
provisions of articles 83.1 and 83.2 of the RGPD, provisions that state:


           "Each control authority will guarantee that the imposition of fines
administrative under this article for the infractions of this
Regulations indicated in paragraphs 4, 9 and 6 are in each individual case
effective, proportionate and dissuasive. "

       "Administrative fines will be imposed, depending on the circumstances of

each individual case, as an additional or substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:

        a) the nature, severity and duration of the offense, taking into account the

        nature, scope or purpose of the processing operation in question
        as well as the number of affected stakeholders and the level of damage and
        damages they have suffered;
        b) intentionality or negligence in the infringement;
        c) any measure taken by the person in charge or in charge of the treatment

        to alleviate the damages suffered by the interested parties;
        d) the degree of responsibility of the person in charge or the person in charge of the
        treatment, taking into account the technical or organizational measures that have
        applied by virtue of articles 25 and 32;
        e) any previous infraction committed by the person in charge or the person in charge of the
        treatment;

         f) the degree of cooperation with the supervisory authority in order to establish
        remedy the violation and mitigate the possible adverse effects of the violation;
        g) the categories of personal data affected by the infringement;
        h) the way in which the supervisory authority learned of the infringement,
        in particular if the person in charge or the person in charge notified the infringement and, in such

        case, to what extent;
        i) when the measures indicated in article 58, paragraph 2, have been
        previously ordered against the person responsible or the person in charge
        in relation to the same matter, compliance with said measures;
        j) adherence to codes of conduct under article 40 or to mechanisms

        certification approved in accordance with Article 42, and
        k) any other aggravating or mitigating factor applicable to the circumstances of the
        case, such as financial benefits obtained or losses avoided, direct
        or indirectly, through the infringement. "

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/13










      Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76,
"Sanctions and corrective measures", provides:

      "two. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
The following may also be taken into account:

  a) The continuing nature of the offense.
  b) The linking of the activity of the offender with the performance of treatment of

personal information.
  c) The benefits obtained as a result of the commission of the offense.

  d) The possibility that the affected person's conduct could have led to the
commission of the offense.

  e) The existence of a merger by absorption process after the commission of the
infringement, which cannot be attributed to the absorbing entity.

  f) Affecting the rights of minors.

  g) Have, when not mandatory, a data protection officer.
  h) The submission by the person in charge or in charge, on a voluntary basis, to

alternative dispute resolution mechanisms, in those cases in which
there are controversies between those and any interested party. "
      In accordance with the transcribed precepts, in order to set the amount of the

sanction of a fine to be imposed in the present case, the defendant is considered as
responsible for an offense typified in article 83.5.a) of the RGPD, they are deemed
the following factors concurrent.

      As aggravating factors the following:

- In the present case we are facing an unintentional negligent action, but
identified significant (article 83.2 b).

- The duration of the illegitimate treatment of the data of the affected party carried out by the
claimed (article 83.2 d).

     That is why it is considered appropriate to graduate the sanction to impose on the claimed person
and set it at the amount of € 50,000 for the violation of article 6.1 f) of the RGPD.


        Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of the sanctions whose existence has been accredited, the Director of the
Spanish Agency for Data Protection RESOLVES:


FIRST: IMPOSE EQUIFAX IBERICA, S.L. with NIF B80855398 for one
violation of Article 6.1.f) of the RGPD, typified in Article 83.5 of the RGPD, a
fine of fifty thousand euros (50,000 euros).


SECOND: NOTIFY this resolution to EQUIFAX IBERICA, S.L. with NIF
B80855398.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/13








THIRD: Warn the sanctioned person that the sanction imposed by a
Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure

Common of Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939 / YYY5, of July 29, in relation to art. 62 of the Law
58 / YYY3, of December 17, by means of your entry, indicating the NIF of the sanctioned person and
the procedure number at the top of this document, in
the restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the

Spanish Agency for Data Protection in the banking entity CAIXABANK, S.A ..
Otherwise, it will be collected in the executive period.

Received the notification and once executive, if the date of execution is found
Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment

volunteer will be until the 20th of the following or immediately subsequent business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediate business month.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to

counting from the day after the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within two months from the

day following notification of this act, as provided in article 46.1 of the
referred Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file contentious-administrative appeal.

If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web /], or through any of the other records provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the

documentation that proves the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.


Mar Spain Martí
Director of the Spanish Agency for Data Protection



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 13/13


































































































C / Jorge Juan, 6 www.aepd.es

28001 - Madrid sedeagpd.gob.es